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(54) Method for sending a secure communication in a telecommunications system 



(57) A method for sending a secure comunication in 
a telecommunications system using public encryption 
keys. A secure communication may be sent from a first 
transceiver to a second transceiver through the system. 
The method allows authentication of each transceiver 
by the other, provides an integrity check on the commu- 
nication, and disallows repudiation of the communica- 
tion by the sending party. Authentication of the commu- 
nication may be proven at each of the first and second 
transceivers, through the use of a authentication certif- 
icate for each of the first and second transceivers that 
is generated and stored at a security center in the sys- 
tem, such as a short message service center. As the 
communication is sent through the system, each user 
of a transceiver may authenticate the other transceiver 
by authenticating the certificate of the other transceiver, 
upon receiving the certificate from the system. Integrity 
and non repudiation for the communication is achieved 
by utilizing the public encryption and private decryption 
keys of the security center at the first and second trans- 
ceivers. 
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Description 

[0001] This invention relates to encryption techniques 
for telecommunications systems and, more particularly, 
to a method for sending a secure communication in a 
telecommunications system using public encryption/de- 
cryption key algorithms. 

[0002] Advances in telecommunications systems 
technology have resulted in a variety of telecommuni- 
cations systems and services being available for use. 
These systems include cellular telephone networks, 
personal communications systems, various paging sys- 
tems, and various wireline and wireless data networks. 
Cellular telephone networks currently in use in the Unit- 
ed States include the AMPS analog system, the digital 
IS-136 time division multiplexed (TDMA) system, and 
the digital IS-95 digital code division multiplexed (CD- 
MA) system. In Europe the Global Services for Mobile 
(GSM) digital system is most widely used. These cellular 
systems operate in the 800-900 MHz range. Personal 
communications systems (PCS) are also currently be- 
ing deployed in the United States. Many PCS systems 
are being developed for the 1800-1900 MHz range, 
some based on one or another of the major cellular 
standards. 

[0003] The newer digital systems such as GSM, IS- 
136, and IS-95 have been developed so as to include 
encryption services for communication privacy. The dig- 
ital nature of the speech or data signals carrying the 
communications between two users in these digital sys- 
tems allows the signals to be processed through an en- 
cryption device to produce a communications signal that 
appears to be random or pseudorandom in nature, until 
it is decrypted at an authorized receiver. When it is de- 
sired to send a secure message in such a system, the 
encryption feature of the system can be used to encrypt 
the message. As an example, the short message serv- 
ice (SMS) feature specified in these standards could be 
used to send a text message that is encrypted over the 
air interface according to the system encryption algo- 
rithm. Voice communications could also be encrypted 
using the system encryption algorithm. 
[0004] In the GSM, IS-136, and IS-95 systems, the 
encryption is performed on message transmissions be- 
tween each user and the system by using a secret key 
value, "session key", where the key is known only to the 
system and the user communicating with the system. 
The system standards under consideration for PCS net- 
works may also include encryption services that are 
based on the encryption techniques specified in the dig- 
ital standard from which a particular PCS standard is 
derived, i.e., GSM, IS-136, or IS-95. 
[0005] In GSM the system operator controls the se- 
curity process by issuing a subscriber identity module 
(SIM) to each system user The SIM is a plug-in chip or 
card that must be inserted into a mobile station that a 
user intends to make or receive calls through. The SIM 
contains a 128-bit number called the Ki that is unique 



for each user. The Ki is used for both authenticating and 
deriving an encryption key. In GSM a challenge and re- 
sponse procedure is used to authenticate each user and 
generate encryption bits from Ki for the user. The chal- 
lenge and response procedure may be executed at the 
discretion of the home system. 

[0006] When a GSM mobile is operating in its home 
system after the user has identified himself by sending 
in his international mobile system identity/temporary 
mobile system identities (IMSI/TMSI), a 128-bit random 
number (RAND) is generated in the system and com- 
bined with the mobile user's Ki to generate a 32-bit re- 
sponse (SRES). The system then transmits RAND to 
the mobile which, in turn, computes its own SRES value 
from the mobile user's Ki and transmits this SRES back 
to the system. If the two SRES values match, the mobile 
is determined to be authentic. Encryption bits for com- 
munications between the mobile and system are gener- 
ated in both the mobile and network by algorithms using 
RAND and Ki to produce an encryption key "Kc". Kc is 
then used at both ends to encrypt and decrypt commu- 
nications and provide secure communications. When a 
GSM mobile is roaming, the RAND, SRES and Kc val- 
ues are transferred to a visited system upon registration 
of the user in the visited system or upon a special re- 
quest from a visited system. The Ki value. is never avail- 
able other than in the home system and the user's SIM. 
[0007] The IS-136 and IS-95 authentication and en- 
cryption procedures are identical to each other and sim- 
ilar to the GSM authentication and encryption proce- 
dures. In IS-136 and IS-95 systems a challenge re- 
sponse method is also utilized. The IS-136 and IS-95 
method utilizes a security key called the N A-key". The 
64-bit A-key for each mobile is determined by the sys- 
tem operators. The A-key for each mobile is stored in 
the home system of the mobile's owner and in the mobile 
itself. The A-key may be initially communicated to the 
mobile owner in a secure manner such as the United 
States mail. The owner can then enter the A-key into the 
mobile via the keypad. Alternately, the A-key may be 
programmed into the mobile station at the factory or 
place of service. The A-key is used to generate shared 
secret data (SSD) in both the mobile and the home sys- 
tem from a predetermined algorithm. SSD for each mo- 
bile may be periodically derived and updated from the 
A-key of that particular mobile by use of an over the air 
protocol that can only be initiated by the home system 
operator. 

[0008] In IS-1 36 and IS-95 authentication and encryp- 
tion, a 32-bit global challenge is generated and broad- 
cast at predetermined intervals within systems in the 
service area of the mobile. When a mobile attempts sys- 
tem registration/call setup access in the home system, 
the current global challenge response is used to com- 
pute, in the mobile, an 18-bit authentication response 
from the mobile's SSD. An access request message, in- 
cluding the authentication response and a call count val- 
ue for the mobile, is then sent to the home system from 
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the mobile. Upon receiving the access request the home 
system will compute its own response value using the 
global challenge and the mobile's SSD. If the mobile is 
verified as authentic by comparison of the authentica- 
tion responses, the mobile's SSD and other relevant da- 
ta, including the call count value, the mobile is regis- 
tered. 

[0009] When a mobile attempts system registration/ 
call setup access in a visited system, the current global 
challenge response is used to compute, in the mobile, 
the 18-bit authentication response from the mobile's 
SSD. An access request message is then sent to the 
visited system from the mobile. For initial registration ac- 
cesses in a visited system, the access request message 
includes the authentication response computed in the 
mobile. The authentication response and global chal- 
lenge are then sent to the home system of the mobile, 
where the home system will compute its own response 
value using the global challenge and the mobile's SSD. 
If the mobile is verified as authentic by comparing the 
authentication responses, the mobile's SSD and other 
relevant data, including the call count value, are then 
sent to the visited system and the mobile is registered. 
When a call-involving the mobile is set up, a current au- 
thentication response value and call count are sent to 
the system from the mobile along with the call setup in- 
formation. Upon receiving the call setup information, the 
visited system retrieves the stored SSD and call count 
values for the requesting mobile. The visited system 
then computes an authentication response value to ver- 
ify that the received SSD value and the current global 
challenge produce the same response as that produced 
in the mobile. If the authentication responses and call 
counts match, the mobile is allowed call access. If com- 
munications security is desired, an encryption key is 
produced in both the mobile and system by using the 
global challenge and the mobile's SSD as input to gen- 
erate encryption key bits. 

[0010] Further background for such techniques as 
those used in GSM and the IS-136 and IS-95 systems 
may be found in the article "Techniques for Privacy and 
Authentication in Personal Communications Systems" 
by Dan Brown in IEEE Personal Communications dated 
August 1995, at pages 6-10. 

[0011] While the above-described private key proce- 
dures used in the GSM and the IS-136 and IS-95 sys- 
tems provide communications security, none of these 
procedures is entirely immune to interception and 
eavesdropping. All the procedures require that a user's 
A-key or Ki value be known both in the mobile station 
and home system. They also require that the user's SSD 
or Kc value be known at both ends of the communica- 
tions link, i.e., in the system and in the mobile. Each of 
these values could potentially be corrupted and become 
known to a potential interceptor. An individual knowing 
the Ki or A-key of a user or an individual who intercepts 
the Kc or SSD of the user in intersystem communica- 
tions could potentially intercept and eavesdrop on com- 



munications that were intended to be secure and pri- 
vate. Additionally, since each user's keys are available 
at a base station with which they are communicating, 
encrypted communications involving two mobile sta- 

5 tions connected through a base station of a system 
could be breached at the base station. 
[0012] Public key encryption methods are methods in 
which a user is assigned an encryption key that is public, 
i.e., maybe known and revealed publicly, but is alsoas- 

10 signed a private decryption key that is known only to the 
user. Only an intended receiving user's decryption key 
can decrypt an encrypted message meant for the in- 
tended receiving user, i.e., decrypt a message encrypt- 
ed using the intended receiving user's encryption key. 

is In order to send a secure message to an intended re- 
ceiver a user would encrypt the message using the in- 
tended receiver's encryption key before sending the 
message. When the intended receiver received the en- 
crypted message, the intended receiver would decrypt 

20 the message using the intended receiver's decryption 
key. In a public key encryption telecommunication sys- 
tem, the user would be allowed to keep the decryption 
key to himself, away from base stations or the system. 
Since the key necessary for decrypting a message is 

25 known only to the receiving user, public key encryption 
methods could provide more secure communications 
than are obtainable with the current encryption tech- 
niques being used in, for example, GSM. IS-136, or IS- 
95. 

30 [0013] Public key encryption methods provide the 
added advantage in that a message can be encoded 
and subsequently decoded by first applying the encryp- 
tion key of a receiving user to a message to encode be- 
fore transmission and then applying the decryption keys 

35 of the receiving user after reception to decode, or by first 
applying the decryption key of a sending user to a mes- 
sage to encode before transmission and then applying 
the encryption key of the sending user in the receiver 
after reception to decode, A first user can sign a mes- 

^0 sage by applying the first user's decryption key to a mes- 
sage and sending both the signed message and a copy 
of the message. Upon receiving the message, a second 
user can verify that the message came from the first user 
by applying the first user's encryption key to the received 

45 signed message and checking to see if the result is the 
same as the received copy of the message Since only 
the first user knows the first user's decryption key, the 
copy of the message and the signed message (after ap- 
plication of the encryption key) received by the second 

50 user will be identical only if sent by the first user. Also, 
Digital Signature Standard (DSS) or Elliptic Curve Dig- 
ital Signature Algorithms (ECDSA), which are based on 
public key algorithms, can be used to digitally sign a 
message even though they cannot be used for encryp- 

55 tion. In these cases, a public encryption key provides 
verification of a signature on a message input, and a 
private decryption key is used to sign the message. 
[001 4] With wireless communications becoming such 
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an important factor in everyday life, the use of this tech- 
nology to perform electronic commerce, such as tele- 
ban king : electronic payment and investments, has been 
proposed. Wireless services using end-to-end and 
store-and-forward features may be used to provide such s 
electronic commerce. Short message services (SMS), 
General Pocket Radio Services (GPRS), cellular digital 
pocket data network (CDPD), and narrow band socket 
(NBS) are examples of these wireless services. 
[0015] In any electronic commerce it would be desir- 10 
able for certain security features to be provided. The 
identity of a message sender must be verifiable and the 
integrity of the message must also be verifiable, i.e., it 
must not be possible for anyone other than the sender 
to alter the message. The sender should not be able to is 
repudiate the message. The privacy of the message 
should also be maintained. Additionally, it would be de- 
sirable to receive confirmation of any transaction con- 
nected to the message from the receiving party. 
[0016] Methods have been proposed for end-to-end 20 
encryption based on symmetric algorithms in services 
such as SMS; however, these symmetric algorithms of- 
fer authentication and privacy but not nonrepudiation. 
Also t integrity can be undermined at the receiver since 
the integrity in a symmetric algorithm is provided by an 2s 
encryption function using the message as input and the 
same encryption function is used to decrypt the mes- 
sage. Since the message and encryption key are both 
known to the receiver of the message, the receiver could 
alter the message contents. For example, a bank could 30 
create a false transaction request using the encryption 
function and claim a customer requested a particular 
transaction. 

[0017] Against this background the present invention 
aims to provide a method-for sending a secure commu- 3S 
nication in a telecommunication system, and a secure 
process for end-to-end and store-and-forward messag- 
es sent from a first service userto a second service user. 
Accordingly, in one aspect there is provided a method 
for sending a secure message in a telecommunications 40 
system having a plurality of transceivers, said method 
comprising the steps of: assigning a first decryption key 
and a first encryption key to a first transceiver, and as- 
signing a second decryption key and a second encryp- 
tion key to a second transceiver: assigning a third de- 45 
cryption key and a third encryption key to a message 
center; forming a first and a second certificate within 
said message center, said first certificate including said 
first encryption key and a first authentication value, and 
said second certificate including said second encryption so 
key and a second authentication value, wherein said 
first and second authentication values are calculated us- 
ing said third decryption key on a first and second au- 
thentication parameter, respectively; transmitting a first 
message from said first transceiver to said message ss 
center, said first message including information indicat- 
ing a request to transmit a communication from said first 
transceiver to said second transceiver; transmitting a 



second message from said message center to said first 
transceiver, said second message including said sec- 
ond certificate; authenticating said second certificate at 
said first transceiver by using said third encryption key 
on said second authentication value to generate a first 
result and comparing said first result with said second 
authentication parameter as known in said first trans- 
ceiver: selecting a session key at said first transceiver; 
forming a third message, at said first transceiver, said 
third message comprising a first message portion com- 
prising said session key encrypted using said second 
encryption key, a second message portion comprising 
said communication encrypted using said session key, 
and an integrity value computed by using said first de- 
cryption key on an integrity parameter; transmitting said 
third message to said message center said third mes- 
sage including said first and second message portions 
and said integrity value; transmitting said first certificate 
and said third message from said message center to 
said second transceiver; authenticating said first certif- 
icate at said second transceiver by using said third en- 
cryption key on said first authentication value to gener- 
ate a second result and comparing said result with said 
first authentication parameter as known in said second 
transceiver; calculating said session key from said first 
message portion using said second decryption key and 
decrypting said communication from said second mes- 
sage portion using said session key: and checking the 
integrity of said third message using said first encryption 
key on said integrity value to generate a third result and 
comparing said third result with said integrity parameter 
as known in said second transceiver. The process al- 
lows each service user to be verified by the other, pro- 
vides an integrity check on the message, and disallows 
repudiation of the communication by the sending user. 
This provides an advantage over symmetric point-to- 
point algorithm where the key used to encrypt a com- 
munication must be known by both the sending and re- 
ceiving service users. 

[0018] In an embodiment of the invention, a first trans- 
ceiver is assigned first identifying information, a first en- 
cryption key and a first decryption key. and. a second 
transceiver is assigned second identifying information, 
a second encryption key and a second decryption key 
A short message service center (SMSC) is assigned a 
third encryption key and a third decryption key The de- 
cryption keys are private and known only to the holder. 
The encryption keys are public and may be distributed 
throughout the system. An authentication certificate for 
each of the first and second transceivers is generated 
within the SMSC, with the authentication certificate in- 
cluding the identifying information and encryption key of 
the transceiver for which it is generated. Each authen- 
tication certificate also includes a authentication value 
generated using the third decryption key of the SMSC 
to sign the authentication value. Alternatively the third 
encryption and third decryption keys could be assigned 
to a third party, and the third party could assign the au- 
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thentication certificates. This third party could be a bank 
or some other secure party. The secure communication 
could then pass through this third party, or the SMSC 
could access the information from the third party. 
[001 9] The authentication values in the authentication 
certificates generated by applying the third decryption 
key may be generated by inputting the first identifying 
information and first encryption key into a authentication 
function and then applying the third decryption key to 
the function output to generate the authentication value 
of the first transceiver and, inputting the second identi- 
fying information and second encryption key into the au- 
thentication function and applying the third decryption 
key to the function output to generate the authentication 
value for the second transceiver. The third decryption 
key is used for signing the authentication value, and the 
third encryption key is used to verify the signed authen- 
tication value in this embodiment. The input used to gen- 
erate the authentication value of each certificate may 
then be made known to a receiver, for authentication of 
the certificate, by the inclusion of the unencrypted iden- 
tifying information and encryption keys in the appropri- 
ate authentication certificate when the authentication 
certificate is-sent to the receiver. 
[0020] In the message process t the user of the first 
transceiver sends a message to the SMSC indicating 
that the user wishes to send a secure communication to 
the user of the second transceiver by SMS. The SMSC 
sends the authentication certificate of the second trans- 
ceiver back to the first transceiver in response. This au- 
thentication certificate includes the second identifying 
information, the second encryption key and the authen- 
tication value of the second transceiver. The authenticity 
of the certificate is verified at the first transceiver by ap- 
plying third encryption key to the received authentication 
value and comparing this result to the output of the func- 
tion having the received second identifying information 
and second encryption key as inputs. The authentica- 
tion function used to generate the certificates and third 
-encryption key are assumed to be known in the first 
transceiver. 

[0021] If the authenticity of the authentication certifi- 
cate for the second transceiver is verified, a session key 
is generated in the first transceiver. The session key is 
then encrypted using the second encryption key that 
was received in the certificate of the second transceiver. 
The communication to be sent is also encrypted using 
the unencrypted session key. Also, the first decryption 
key is used to generate a integrity value. In the embod- 
iment the integrity value may be generated by applying 
first decryption key to the output of a integrity function 
that has been generated using at least one input that is 
known only the first and second transceivers. This in- 
tegrity function may be the same as the authentication 
function used in forming the authentication certificates. 
The integrity value may be generated by inputting the 
unencrypted communication and unencrypted session 
key into the integrity function and then applying the first 



decryption key. The encrypted session key, encrypted 
communication and integrity value are then sent by SMS 
to the SMSC. 

[0022] When the second transceiver is available to re- 
5 ceive the SMS message, the authentication certificate 
of the first transceiver the encrypted session key, en- 
crypted communication and integrity value are sent from 
the SMSC to the second transceiver by SMS. This au- 
thentication certificate includes the first identifying infor- 
10 mation, the first encryption key and the authentication 
value of the first transceiver. The authenticity of the cer- 
tificate is verified at the second transceiver by applying 
the third encryption key tc he received authentication 
value and comparing this result to the output of the au- 
15 thentication function having the received first identifying 
information and first encryption key as input. The au- 
thentication function used to generate the certificates 
and third encryption key are to be known in the second 
transceiver. 

20 [0023] If the authenticity of the authentication certifi- 
cate for the first transceiver is verified, the session key 
is recovered in the second transceiver by applying the 
second decryption key The communication is then de- 
crypted using the recovered session key A final check 

2S on the integrity of the message is also performed by ap- 
plying the first encryption key to the integrity value re- 
ceived in the integrity certificate and comparing this re- 
sult to a value calculated by inputting the communication 
and session key into the integrity function. 

30 [0024] A more complete understanding of the method 
and apparatus may be had by reference to the following 
detailed description when read in conjunction with the 
accompanying drawings wherein: 

35 FIG. 1 illustrates a block diagram of a telecommu- 
nications system that provides secure mes- 
sage service according to an embodiment of 
the invention; and 

40 FIG. 2 is a flow diagram showing process steps per- 
formed to provide a secure message service 
within the telecommunications system of 
FIG. 1. 

45 [0025] FIG. 1 illustrates a block diagram of a telecom- 
munications system 100 constructed according to an 
embodiment of the invention. System 100 comprises 
base stations B1 and B2, short message service center 
(SMSC), security center (SC), mobile stations M1 and 

so M2, mobile switching centers (MSC1 and MSC2), land- 
line network (LLN) and landline telephone (LI). Al- 
though shown to include two base stations and two mo- 
bile stations,, system 100 may comprise more or less 
base stations or mobile stations than are shown in FIG. 

55 t. The mobile stations Ml and M2 may be mobile tele- 
phones that provide speech communications between 
a user of Ml or M2 and another mobile telephone, or 
between the user and land tine telephone L1 connected 
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to landline network LLN. Mobile stations M1 and M2 may 
also be any other type of mobile communications device 
capable of operating according to the system standard 
for system 1 00, such as a personal communications de- 
vice or a laptop computer operating through a wireless s 
modem. Landline network LLN may be a public switched 
telephone network (PSTN) or a private landline network. 
Mobile switching centers MSC1 and MSC2 control call 
routing, registration and hand-off a mobile from one 
base station to another in system 100. In system 100, u 
mobile stations M1 and M2 may move about the cover- 
age area base stations B1 and B2 while communicating 
with system 1 00 through RF links. In FIG. 1 , mobile sta- 
tions M1 and M2 are shown to be communicating with 
base stations B1 and B2, respectively, over RF links 1 44 is 
and 146, respectively. Communications may be accord- 
ing to any telecommunications system standard that 
provides a digital interface over the RF links between 
mobile stations M1 and M2 and base stations B1 and 
B2. The design and operation of digital telecommunica- 20 
tions systems and the use of short message services 
(SMS) is known and will not be described in detail here. 
System 100 may be implemented in any number of 
ways, for example, the digital RF interface in system 1 00 
may operate according to a standard similar to the Tel- 25 
ecommunications Industry Association/Electronic In- 
dustry Association (TIA/EIA) IS-136, IS-95, and PCS 
1 900 standards or the European GSM standard. 
[0026] Referring now to FIG. 2, therein is a flow dia- 
gram showing process steps performed to provide a se- 30 
cure message service within the telecommunications 
system of FIG. 1. In this embodiment a user of M1, for 
example, is able to send a secure short message serv- 
ice (SMS) message to the user of M2 or L1 . 
[0027] A designated party, which may be, for exam- 35 
pie, a bank or the system operator, issues authentication 
certificates to SMS users. The certificate issuer uses a 
public key Algorithm AO having a public encryption key 
EO and a private decryption key DO. A function f(t,p) is 
also defined so that it is computationally impossible to 40 
have any two different pairs of the variables t and p giv- 
ing the same result for f(t,p), i.e., if different pairs of val- 
ues fort and p are randomly chosen, the chances of f(t, 
p) generating the same result is near zero. For example, 
the function f(t,p) may be a hushing function H(Op) that *s 
is commonly used to shorten transmitted messages, 
where the value (Op) is the concatenation between t 
and p, i.e., Op is a binary number formed from both t 
and p. EO and AO are known at all sending and receiv- 
ing parties using the secure SMS. so 
[0028] A user X will choose a public algorithm with a 
public encryption key Ex and a private decryption key 
Dx. User X is also assigned a distinguishable identity x. 
The certificate of user X is defined to be the triplet (x, 
Ex, Cx) where Cx = D 0 (f(x,Ex)). Cx is the authentication ss 
value used to authenticate the certificate. f(x,Ex) may 
be the function described above. for f(t,p). The certifi- 
cates for each user may be stored in the network. In the 



embodiment of FIG. 1 , the certificates are stored within 
security center SC : which has a secure connection to 
the SMSC. 

[0029] Due to the limitation of the message length in 
SMS, in the described embodiment the Elliptic Curve 
Cryptosystem (ECC) may be used for the signing and 
verification of the authentication certificates using EO 
and DO. In ECC an elliptic curve E over a finite field F 2 m 
(m = 160) is chosen. A point p on the curve is fixed. The 
userx's public key is then bp, and the user's private key 
is b, where b is some integer and the user's certificate 
C x = Dof(x.bp). If ECDSA is used by the trusted party 
C x is about 320 bits long. The encryption of m may be 
done by selecting a random integer k and computing kp 
and k(bp) from a sum operation on the elliptic curve. 
Methods of using the sum operation on the elliptic curve 
are known. See N. Koblitz, A Course in Number Theory 
and Cryptography, Springer- Verlag (1994). Kp is then 
concatenated with the exclusive-or of m and k(b'p) to en- 
crypt m. To decrypt the operation b(kp)e(m©k(bp)) is 
performed at the receiver. 

[0030] Alternatively, if a message service provides a 
larger bandwidth capability, the key functions Ex and Dx 
may be chosen according to the Rabin criteria. In the 
Rabin algorithm for this example, two prime numbers p 
and q are chosen using a selected predefined number 
N, where p x q = N, and p=4^ + 3, and q= 4 k 2 + 3, and 
where k, and kg are constants. N may be publicly known ; 
while p and q must be kept private. Ex is defined as Ex 
(c) = (c) 2 mod Nx, and Dx is defined as Dx(c) = c 1/2 mod 
Nx, where c is the encrypted value. To solve Dx(c) for 
c 1/2 , the equations x 2 = c mod p, and, x 2 = c mod q, are 
solved using the solutions, x, = ± c<P +1 )' 4 ,and : x 2 = ± 
c (q+i)/4 jf two va | ues a and b are found such that ap + 
bq = 1 , then c 1/2 can be found by the equation c 1/2 = bq 
apx 2 mod Nx. The certificate Cx = D0(f(x ; Nx)) = (f 
(x,Nx)) 1/2 mod NO if Rabin is used by the SMSC. Aback- 
ground description of the Rabin algorithm is given in the 
book Cryptography, Theory and Practice by Stinson, 
published by CRC, 1995, at pages 143-148. 
[0031] As another alternative, the key functions Ex 
and Dx may be chosen according to the Rivest. Shamir 
and Adleman (RSA) criteria In RSA two (large) prime 
numbers p and q are first selected, where p x q = N. Two 
other values, a2 and b2, are then chosen, where (a2) 
( b2) = 1 mod (p-1)(q-1). N and a2 may be public, and 
b2 must be kept private. Ex and Dx are then defined as 
Ex(c) = (c)a2 mod N, and Dx = (c) b2 mod N, the certificate 
C x = DO(f(x,a2,N)). A detailed description of the RSA 
algorithm is given in the book Digital Money by Lynch, 
et al., published by John Wiley and Sons. 1 996. at pages 
76-86. 

[0032] Referring again to FIG. 2, and using an exam- 
ple of M1 sending a secure SMS message to M2 : the 
process starts at step 202 when M1 sends an initiating 
message to the SMSC. The initiating message may be 
an SMS message addressed to the SMSC and include 
information indicating that M1 is to send a secure SMS 
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to M2. 

[0033] The SMSC responds by retrieving the certifi- 
cate of M2 (M2, E m2 , D c (f (m 2 , E m2 ))) from the security 
center SC and sending the certificate of M2 to M1 in an 
SMS message. Next, at step 206, the certificate of M2 
is authenticated in M1 . The authentication is performed 
by determining if E 0 (D 0 (f (m 2 , E m2 ))) = f (m 2 , E m2 ). If 
E G (D Q (f (m 2 ,, E m2 ))) = f (m 2 , E m2 ), the process moves 
to step 208. If, however, E Q (D 0 (f (m 2 , E m2 ))) is not equal 
to f (m2, E m2 ), the process moves to step 230 and ends. 
[0034] At step 208 a session key k is generated in M1 . 
This session key k is for a symmetric algorithm known 
at M1 and M2, so that a message can be encrypted and 
decrypted at M1 and M2 using k. Next, at step 210 the 
second public encryption key is used to encrypt k, k itself 
is used to encrypt x to generate Ek(x), where Ek indi- 
cates encryption using k, and the first decryption key is 
applied to the output of an integrity function f(k,x), hav- 
ing k and x as inputs to generate D m1 (f(k,x). The value 
D m1 (f(k t x) is the integrity value used to check the of in- 
tegrity x. These three values are used to form a mes- 
sage P. The message P may be formed by concatenat- 
ing E m2 (k), Ek(x) and Dm1(f(k,y)) into one field, i.e., P 
= E m2 (k) □ Ek(x) □ D ml (f(k,x)). At step 212, M1 sends 
P to the SMSC in an SMS message. At 214 P is stored 
in the SMSC. When M2 is available, the SMSC will send 
the SMS message to M2. This may be done upon reg- 
istration of M2 in system 100, or if M2 is already regis- 
tered, the SMSC may page M2. The process will con- 
tinue at step 216 until M2 is available. When M2 is avail- 
able, the process moves to step 218. At step 218, the 
SMSC sends the certificate of M1 (m-,, E m1 , Do^m,, 
E m1 ))) to M2 and at step 220 the SMSC sends P to M2. 
After the certificate of M1 is received, the certificate is 
authenticated in M2 in step 222, The authentication is 
performed by determining if E 0 (D 0 (f (m-, E m1 ))) = f(m v 
E ml ). If EoPofltrrH E ml ))) = f(m v E ml ). the process 
moves to step 224. If, however, E 0 (D 0 (f(m 1 E m1 ))) is not 
equal to i(m A , E m1 ), the process moves to step 232 and 
ends. 

[0035] At step 224 the session key k is computed in 
M2. k is computed from k = D m (E m2 (k)). Next, at step 
226 the message x is decrypted in M2. X is decrypted 
from x = Dk (Ek(x)), where Dk indicates decryption using 
k. The integrity of P is then checked at step 228. The 
integrity is checked by determining if E m1 (D m1 (f(k,x))) = 
f(k 1 x). If E m1 (D m {f(k,x))) = f(k,x) the process moves to 
step 236. At step 236 the valid message x is read in M2. 
If, however, E ml (D m (f(k,x))) is not equal to f(k.x), the 
process moves to step 234 and ends. 
[0036] In the process of FIG. 2, both M1 and M2 are 
authenticated through their certificates. Message integ- 
rity and nonrepudiation are verified by using D m1 (f (k,x)). 
M1 cannot deny sending the message since D ml is 
known only to Ml . No one can change the contents of 
x since D ml (f(k>x)) would take on a different value. The 
privacy of the message x is provided by Ek(x). 
[0037] Although described in the context of particular 



embodiments, it should be realized that a number of 
modifications to these teachings may occur to one 
skilled in the art. By example, in the authentication of 
the authentication certificates, the authentication value 
5 may be calculated by using values other than the en- 
cryption key and identity information included in and 
sent with the certificate. If other values are known to both 
the SMSC and the authenticating transceiver these val- 
ues could be used to authenticate that the authentica- 
te tion value was encrypted using the decryption key of the 
SMSC. Also, by example, the method may be used in 
other services having store and forward capability. The 
message center in this case could, for example, be re- 
placed by a bank-owned store and forward device. 
is Thus, while the invention has been particularly shown 
and described with respect to preferred embodiments 
thereof, it will be understood by those skilled in the art 
that changes in form and scope may be made therein 
without departing from the scope and spirit of invention. 

20 

Claims 

1. A method for sending a secure message in a tele- 
25 communications system having a plurality of trans- 
ceivers, said method comprising the steps of: 

assigning a first decryption key and a first en- 
cryption key to a first transceiver, and assigning 
30 a second decryption key and a second encryp- 

tion key to a second transceiver; 

assigning a third decryption key and a third en- 
cryption key to a message center; 

35 

forming a first and a second certificate within 
said message center, said first certificate in- 
cluding said first encryption key and a first au- 
thentication value, and said second certificate 
40 including said second encryption key and a 

second authentication value, wherein said first 
and second authentication values are calculat- 
ed using said third decryption key on a first and 
second authentication parameter, respectively; 

45 

transmitting a first message from said first 
transceiver to said message center, said first 
message including information indicating a re- 
quest to transmit a communication from said 
so first transceiver to said second transceiver; 

transmitting a second message from said mes- 
sage center to said first transceiver said sec- 
ond message including said second certificate: 

55 

authenticating said second certificate at said 
first transceiver by using said third encryption 
key on said second authentication value to gen- 
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erate a first result and comparing said first re- 
sult with said second authentication parameter 
as known in said first transceiver; 

selecting a session key at said first transceiver: s 

forming a third message, at said first transceiv- 4. 
er, said third message comprising a first mes- 
sage portion comprising said session key en- 
crypted using said second encryption key, a 10 
second message portion comprising said com- 
munication encrypted using said session key, 5. 
and an integrity value computed by using said 
first decryption key on an integrity parameter; 

15 

transmitting said third message to said mes- 
sage center said third message including said 
first and second message portions and said in- 
tegrity value; 

20 

transmitting said first certificate and said third 
message from said message center to said 
second transceiver; 

6. 

authenticating said first certificate at said sec- 25 
ond transceiver by using said third encryption 
key on said first authentication value to gener- 
ate a second result and comparing said result 7. 
with said first authentication parameter as 
known in said second transceiver; 30 

calculating said session key from said first mes- 
sage portion using said second decryption key 8. 
and decrypting said communication from said 
second message portion using said session 3S 
key; and 



said second authentication parameter, applying 
said third encryption key to said second authentica- 
tion value to generate said first result, and compar- 
ing said first result and said second authentication 
parameter. 

The method of claim 3, wherein said first authenti- 
cation value is formed by applying said authentica- 
tion function to said first identifying information and 
said first encryption key. 

The method of any of claims 1 to 4, wherein said 
step of authenticating said first certificate at said 
second transceiver comprises applying said au- 
thentication function to said first identifying informa- 
tion and said first encryption key received from said 
message center in said first certificate to generate 
said first authentication parameter, applying said 
third encryption key to said first authentication value 
to generate said second result, and comparing said 
second result and said first authentication parame- 
ter. 

The method of claim 5, wherein said third encryp- 
tion key and said third decryption key are chosen 
and applied according to an ECC-type algorithm. 

The method of claim 5, wherein said first, second 
and third encryption keys and said first, second and 
third decryption keys are chosen and applied ac- 
cording to an RSA-type algorithm. 

The method of claim 5 wherein said first, second 
and third encryption keys and said first, second and 
third decryption keys are chosen and applied ac- 
cording to a Rabin-type algorithm. 



checking the integrity of said third message us- 
ing said first encryption key on said integrity val- 
ue to generate a third result and comparing said 
third result with said integrity parameter as 
known in said second transceiver. 

2. The method of claim 1 , wherein said step of assign- 
ing further comprises assigning first identifying in- 
formation to said first transceiver and assigning 
second identifying information to said second trans- 
ceiver, and wherein said second authentication pa- 
rameter is formed by applying an authentication 
function to said second identifying information and 
said second encryption key. 

3. The method of claim 1 or claim 2, wherein said step 
of authenticating said second certificate at said first 
transceiver comprises applying said authentication 
function to said second identifying information and 
said second encryption key received from said mes- 
sage center in said second certificate to generate 



9. The method of claim 3, wherein said third encryp- 
tion key and said third decryption key are chosen 

to and applied according to an ECC-type algorithm. 

10. The method of claim 3, wherein said first, second 
and third encryption key and said first, second and 
third decryption keys are chosen and applied ac- 

4* cording to an RSA-type algorithm. 



11. The method of claim 3, wherein said first, second 
and third encryption keys and said first, second and 
third decryption keys are chosen and applied ac- 
cording to a Rabin-type algorithm. 



so 



12. The method of claim 3, wherein said integrity pa- 
rameter used to compute said integrity value in said 
step of forming a third message comprises the out- 
55 put of an integrity function having said session key 
and said communication as input, and wherein said 
step of checking the integrity of said third message 
comprises inputting said session key and said com- 
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munication as input to said integrity function to gen- 
erate said integrity parameter as known in said sec- 
ond transceiver. 
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